We are about to use Dynamics 365 CRM online and we are new in this area.
...User is logged in using SSO.
Now to my questions...
Alternative 1: Our solution architect wants us to use a LogicApp, triggered by create/update on the contact entity, to pick up the logged-in user's user access token and send it as the Authorization header with the call to our on-prem REST service.
As far as I can see this is not possible as the LogicApp is running in its own process (kind of as a Windows service). Am I wrong?
We have been looking into other different options instead:
Alternative 2: We have been looking at using a Plugin but fail to get hold of the user access token. It is possible, though, to get hold of the application access token but that is not good enough for my client. Is it even possible? If possible, does anyone have an example of how it is done?
We know how to get the user access token in a console application after logging in with SSO. And we know how to get the user access token in an ASP.NET MVC application. But now... this is Dynamics 365 CRM online.
We need the user access token because we want the user information to be sent to the API.
Are there any other options? We have been looking into this for a week or so...
First, let me clear something up: Logic Apps live on Azure and not in a Windows process.
Second, these kinds of integrations are best suited if you can use Azure AD; if you do that, then your users, Logic Apps and your on-prem service can be authenticated by Azure AD. Now because I don't know the details, my suggestion is a high-level one. There are ways to register your on-prem API as an "app registration" in Azure AD which makes it accessible by the Logic App without sending tokens in headers. This explains the way to do that: https://docs.microsoft.com/en-us/azure/logic-apps/logic-apps-custom-api-authentication
Thanks for your insights.
Yes, it is true it is not a Windows process. I just compared the Logic App to a Windows service in the manner that they both run in their own process in this case.
It was a good example you sent with the link how to access using app registration. I guess that is what we will end up doing.
Though I have realized that my client is mixing authentication/authorization and tracing of the user. We sure can handle the authentication/authorization using Azure AD (since that's what we are using and also what you are suggesting). But what they really want is to trace that it is the user sitting in front of the computer, logged in to D365 CRM, that is calling the API.
I believe that is not possible, right? We cannot grab that user's token and send it down the line from D365 CRM -> LogicApp -> on-prem API. We need instead to somehow pick up that user's ID (for tracing purposes) and send it along with the call to our on-prem API.
Thanks for the reply. I imagine if Azure AD is at the center of authentication for the different parts of the process, can't you use it to identify the user for you? Azure AD has an exposed API that does such things (I believe it is called Azure AD Graph API), basically, the part that needs the user info (your on prem API in that case) can ask Azure AD about more user information of that user issuing the request. I don't have a step by step guide for that but from my understanding of the whole process, I think it can be done.
Also, if you manage to do it, please share it here as I'm interested to know how things ended up implemented :)
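An added example, not part of the thread or any poster's code: one way the on-prem API could keep apart the identity that authenticated (the Logic App's app registration) and a user ID that was only sent along for tracing, as discussed above. The header name `X-Initiating-User-Id`, the trusted app ID and the claim values used to call it are assumptions; `azp`/`appid`, `oid` and `scp` are Azure AD access-token claims, and the token is assumed to be validated before this function runs.

```python
import re

# Assumption: app (client) IDs allowed to relay a user ID, e.g. the Logic App's
# app registration. Constructed placeholder value.
TRUSTED_RELAY_APPS = {"11111111-1111-1111-1111-111111111111"}
GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def audit_identity(claims, headers):
    """Return who authenticated and which user the call is attributed to.

    `claims` must come from an access token whose signature, issuer, audience
    and expiry were already verified by the API's JWT middleware.
    """
    caller_app = claims.get("azp") or claims.get("appid")  # v2.0 / v1.0 claim
    if not caller_app:
        raise PermissionError("token carries no client application ID")

    # Delegated (user) tokens carry 'scp'; app-only tokens do not.
    if "scp" in claims:
        return {"caller_app": caller_app, "user_id": claims.get("oid"),
                "user_source": "token"}

    # App-only token: the user ID is only what the caller says it is, so it is
    # accepted from allow-listed callers only and labelled as an assertion.
    relayed = headers.get("X-Initiating-User-Id", "").strip()  # hypothetical header
    if not relayed:
        return {"caller_app": caller_app, "user_id": None, "user_source": "none"}
    if caller_app not in TRUSTED_RELAY_APPS:
        raise PermissionError("caller is not allowed to relay a user ID")
    if not GUID.match(relayed):
        raise ValueError("relayed user ID is not a GUID")
    return {"caller_app": caller_app, "user_id": relayed.lower(),
            "user_source": "asserted-by-caller"}
```

The `user_source` field is what an audit log should keep: a relayed ID is a trace of what the caller reported, not proof that the user was present.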